The threat actor known as Bitter has been assessed to be a state-backed hacking group that's tasked with gathering intelligence that aligns with the interests of the Indian government.
That's according to new findings jointly published by Proofpoint and Threatray in an exhaustive two-part analysis.
"Their diverse toolset shows consistent coding patterns across malware families, particularly in

Researchers Detail Bitter APT’s Evolving Tactics as Its Geographic Scope Expands

Cofense Intelligence uncovers a surge in ClickFix email scams impersonating Booking.com, delivering RATs and info-stealers. Learn how these…

Cofense Intelligence uncovers a surge in ClickFix email scams impersonating Booking.com, delivering RATs and info-stealers. Learn how these sophisticated attacks trick users into running malware and what to watch out for.

Cybersecurity experts at Cofense Intelligence are warning hotel chains and other businesses in the food and accommodation sector about an email scam that mimics Booking.com. These deceptive emails are part of attack campaigns known as ClickFix, which aims to trick users into running malicious software.

The ClickFix campaign has been steadily gaining traction since November 2024, with a notable acceleration in recent months. According to Cofense’s analysis, a staggering 47% of the total campaign volume was observed in March 2025 alone.

The firm’s active threat reports (ATRs) indicate that 75% of all incidents involving fake CAPTCHAs utilized Booking.com-themed ClickFix templates. While Booking.com impersonations are most common, Cofense also noted less frequent variations, including those spoofing Cloudflare Turnstile and cookie consent banners.

****How the Scam Works****

The scam begins with an email containing a link to a fake CAPTCHA website. A CAPTCHA is usually a test designed to tell humans and computers apart, like typing distorted letters. In this case, however, the fake CAPTCHA is a trick. Instead of a real verification code, clicking on it delivers a harmful script to the user’s computer.

These ClickFix websites then instruct users to press specific keyboard shortcuts, typically Windows key + R, followed by Ctrl + V, and then Enter. This sequence opens the Run command in Windows, pastes the hidden malicious script, and then executes it. The malicious script often includes extra characters that look like a _verification code_ to hide the real harmful commands.

These sites are cleverly designed to look like legitimate pages from well-known brands such as Booking.com and Cloudflare. Interestingly, the scam only targets Windows computers, and if accessed on other devices, the fake CAPTCHA sites will display a message indicating they only work on Windows.

****What Malware is Being Delivered?****

Once the malicious script is run, it can install various types of dangerous software. The most common payload seen in these attacks is XWorm RAT, a type of Remote Access Trojan (RAT). For your information, RATs allow attackers to secretly control a victim’s computer from a distance.

Other frequently observed malware include Pure Logs Stealer and DanaBot, which are information stealers designed to swipe sensitive data. In some instances, both RATs and information stealers have been delivered in a single attack.

Sample Attack Chain (Source: Cofense)

This ClickFix method is a concerning new tactic because it manipulates users into activating the malware themselves, without needing to download any files directly. It highlights the importance of being cautious about suspicious emails, even those that appear to be from trusted sources like Booking.com, and to always double-check the legitimacy of any verification steps or prompts that ask you to run commands on your computer.

For more detailed information on how to spot these ClickFix attacks, refer to Hackread.com’s guide on the techniques used to trick users and how to stay safe.

ClickFix Email Scam Alert: Fake Booking.com Emails Deliver Malware

Ransomware has been discovered by security researchers in fake installers posing as Chat GPT, Nova Leads, and InVideo AI.

Artificial intelligence (AI) and small business tools are being abused as smokescreens to hit unsuspecting victims with ransomware.

In the masquerade campaigns discovered by Cisco Talos, cybercriminals hid malware behind software and install packages that mimicked the websites or names of the lead monetization service Nova Leads, the enormously popular Chat GPT, and an AI-empowered video tool called InVideo AI.

As small businesses quickly adopt AI tools—a recent survey from the US Chamber of Commerce and the strategy firm Teneo revealed that 98% of small businesses already use at least one AI-powered product and 40% use generative AI—these cybercriminal lures pose the next, big threat to sole proprietors and boutique shops.

According to the researchers at Cisco Talos, the threat is twofold.

“Unsuspecting businesses in search of AI solutions may be deceived into downloading counterfeit tools in which malware is embedded,” Talos said. “This practice poses a significant risk, as it not only compromises sensitive business data and financial assets but also undermines trust in legitimate AI market solutions.”

In the first potential online attack, Talos found that cybercriminals created a fake website that closely resembled that of the legitimate company Nova Leads. The company helps businesses with lead monetization through acquisition, conversion, and content creation. But rather than simply copying the look and feel of Nova’s website, the cybercriminals also offered a completely fake, AI-powered product called “Nova Leads AI.”

On the malicious website, users were prompted to download Nova Leads AI for ”free access” for 12 months. If users downloaded and installed the fake software, the ransomware CyberLock was instead deployed. Researchers at Talos analyzed how CyberLock moved throughout a network and retrieved the ransom note left behind by the cybercriminals. In it, the ransomware gang claimed, falsely, that their attacks were altruistic.

“We want to assure you that your payment does not go to us,” the ransomware gang said in its note. “It will instead go to support affected women and children in Palestine, Ukraine, Africa, Asia, and other regions where injustices are a daily reality.”

In the note, victims are directed to pay $50,000 in cryptocurrency. The ransomware campaign is particularly dangerous as cybercriminals managed to manipulate SEO practices to rank their malicious website near the top of relevant online searches. This method, called “SEO poisoning,” is deployed by scammers, hackers, and shady websites.

In a second potential attack, Talos found that a software installer labeled “ChatGPT 4.0 full version – Premium.exe” was actually hiding the ransomware Lucky\_Gh0$t. Interestingly, the files contained within the installer also contained legitimate open-source AI tools from Microsoft, likely as an evasion technique to ward off any antivirus tools inspecting the package for malware.

Though the Lucky\_Gh0$t ransom note did not include a specific dollar amount, the cybercriminals displayed a starkly different attitude from CyberLock’s alleged humanitarianism:

> “We are not a politically motivated group and we do not need anything other than your money.”

In the last potential attack, Talos found a new malware that the team dubbed “Numero.” Though it is not officially a form of ransomware, Talos found that, once deployed, it effectively renders systems “completely unusable.”

Talos discovered that the malware’s internal data co-opted the product and organizations names of the service InVideo AI, an AI-powered video generation service that can be used for marketing, content, and more.

While cybercriminals have long disguised their malware under popular brands, the emergence of AI—and its popularity for small businesses—highlight the dangers that small shops face simply for trying to do business online. But there is help at hand.

****How to protect your small business from ransomware****

As is true with all malware infections, the best defense to a ransomware attack is to never allow an attack to occur in the first place. Take on the following steps to secure your business from this existential threat:

*   **Block common forms of entry.** Patch known vulnerabilities in internet-facing software and disable or harden the login credentials for remote work tools like RDP ports and VPNs.
*   **Prevent intrusions and stop malicious encryption.** Stop threats early before they can infiltrate or infect your endpoints. Use always-on cybersecurity software that can prevent exploits and malware used to deliver ransomware.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated an outbreak and stopped a first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

 Ransomware hiding in fake AI, business tools 

A buffer overflow vulnerability exists in the mstp.ko kernel module, responsible for processing BACnet MS/TP frames over serial (RS485). The SendFrame() function writes directly into a statically sized kernel buffer (alloc_entry(0x1f5)) without validating the length of attacker-controlled data (param_5). If an MS/TP frame contains a crafted payload exceeding 492 bytes, the function performs out-of-bounds writes beyond the allocated 501-byte buffer, corrupting kernel memory. This flaw allows local or physically connected attackers to trigger denial-of-service or achieve remote code execution in kernel space. Tested against version 3.08.03 with a custom BACnet frame over /dev/ttyS0.

Title: ABB Cylon Aspect 3.08.04 (DeploySource) Unauthenticated Remote Code Execution  
Advisory ID: ZSL-2025-5954  
Type: Local/Remote  
Impact: Security Bypass, System Access, DoS  
Risk: (5/5)  
Release Date: 04.06.2025

**Summary**

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

**Description**

ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the AuthenticatedHttpServlet within its application server, enabling remote attackers to bypass authentication by setting the Host: 127.0.0.1 header. This deceives the server into processing requests as if they originate from localhost, granting unauthorized access to privileged operations. This bypass grants access to privileged functionality, including the DeploymentServlet, which is vulnerable to directory traversal. By leveraging this, an attacker can write arbitrary PHP files outside the intended directory scope. When combined, these issues allow remote attackers to upload a malicious PHP shell and execute system commands with the privileges of the web server, leading to full system compromise.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
Firmware: <=3.08.04

**Tested On**

GNU/Linux 3.15.10 (armv7l)  
GNU/Linux 3.10.0 (x86\_64)  
GNU/Linux 2.6.32 (x86\_64)  
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
PHP/7.3.11  
PHP/5.6.30  
PHP/5.4.16  
PHP/4.4.8  
PHP/5.3.3  
AspectFT Automation Application Server  
lighttpd/1.4.32  
lighttpd/1.4.18  
Apache/2.2.15 (CentOS)  
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86\_64)  
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)  
ErgoTech MIX Deployment Server 2.0.0

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[21.05.2025\] No response from the vendor.  
\[04.06.2025\] Public security advisory released.

**PoC**

abb\_aspect\_rce28.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <\[email protected\]\>

**References**

N/A

**Changelog**

\[04.06.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: \[email protected\]

ABB Cylon Aspect 3.08.04 (DeploySource) Unauthenticated Remote Code Execution

Google has disclosed details of a financially motivated threat cluster that it said "specialises" in voice phishing (aka vishing) campaigns designed to breach organizations' Salesforce instances for large-scale data theft and subsequent extortion.
The tech giant's threat intelligence team is tracking the activity under the moniker UNC6040, which it said exhibits characteristics that align with

Google Exposes Vishing Group UNC6040 Targeting Salesforce with Fake Data Loader App

Today, your internet presence is much more than just a website or social media profile, it’s like your…

Today, your internet presence is much more than just a website or social media profile, it’s like your business card, reputation and main medium of staying connected. However, with this visibility comes genuine danger. Do you know what’s one of the most troublesome threats hiding out there? DDoS attacks! If you have not heard this term before, no need to worry. Let’s simplify it and understand how to protect your online space from it.

****DDoS: What it Means****

DDoS is short for Distributed Denial of Service. It may sound complicated, but basically, it means overwhelming a server or website with excessive fake traffic until it falls apart. Imagine a coffee shop where suddenly many people arrive at the same time, not to buy anything, just to block the space. In this situation, real customers are unable to enter and the business comes to a halt. This is primarily what occurs during a DDoS attack – it’s bots that cause this blockage.

Usually, these kinds of attacks are started by using networks of computers that have been taken over – many times they belong to people who don’t even know. This is what is meant by “distributed”. When it starts, your website could either become very slow or completely unavailable.

****Why You Should Care (Even If You’re a Small Business)****

At this point, it’s normal to think, “I don’t have a major brand, just a small business” or “I just run a personal blog.” DDoS attacks can also be used against much smaller businesses. Smaller sites are targeted quite often because attackers believe their security is not as strong. Truth is, when your website goes down, even briefly, it affects your reputation, and your budget and makes your customers or users unhappy.

In addition, a DDoS attack can stop your service or online store from operating. People can’t order or get answers which causes them to doubt the business. It can be very irritating, but it can also be truly harmful.

****Start with Strong Hosting****

A solid first action is to select a reliable hosting provider. Hosting providers are not all the same and some are better prepared to handle DDoS attacks than others. Find hosting providers that guarantee or promote DDoS protection through their services. This is because they have effective steps to prevent and handle an attack early on.

Don’t hesitate and ask your hosting provider which security measures they have for your website. If their responses are unclear or they treat security lightly, this is a warning sign. You should choose a provider that handles the back-end work and protects your site from malicious users at the same time.

****Get a CDN Working for You****

For even better performance, allow your website to tap into a CDN. A Content Delivery Network uses multiple servers worldwide to distribute the activities involved in content delivery. Therefore, all the requests are not delivered to your main server at the same time. If there is a DDoS attack, the distribution system can save you.

****Firewalls and Rate Limiting****

Firewalls act like filters, they inspect incoming traffic and stop suspicious things before reaching your main systems. Web Application Firewalls (WAFs) are specially designed to block the kind of unwanted traffic that DDoS attacks cause.

Next, we have rate limiting – this is a background function that restricts how frequently someone can interact with your site. If something is making constant requests to your server, it will be flagged or stopped.

****Keep an Eye on What’s Happening****

A lot of damage from DDoS attacks happens because people don’t notice it early enough. So, make sure to monitor your site’s traffic. Sudden increases, constant hits to one page or visits from strange places can all suggest concerns. 

Many tools exist today that make website monitoring easy. Some of these are included in hosting plans, while others can be added by you manually. You don’t need advanced coding skills – just some understanding of this domain is quite helpful.

****Have a Contingency Plan****

Regardless of how strong your security is, things can still go wrong. So it’s smart to have a plan in case you do get hit. Be aware of who you should reach out to when problems occur – this could be your host, a protective service or someone experienced in such matters.

Maintain updated backups and ensure you are familiar with quick restoration. Additionally, inform your users about the ongoing situations. Clear communication can go a long way in keeping trust intact during tough times.

****Call in the Pros if You Need to****

Feeling overwhelmed? Managed security services exist for a reason. These individuals are experts in detecting threats and reacting quickly, so you don’t need to be on guard all the time.

Yes, it costs money. However, if your business relies on your online presence, the expense may be worthwhile simply for the reassurance. Think of it as employing a security guard for the night shift at your virtual store.

****Keep Everything up to Date****

This may seem like the basics of cybersecurity, but it’s important to keep your devices updated. Old plugins, CMS versions or themes can be great opportunities for hackers. Fix those gaps before anyone else discovers them.

Nevertheless, DDoS attacks are very serious, but they’re not impossible to defeat. By using intelligent strategies such as improving hosting services, CDNs, traffic filters and constant monitoring you can significantly reduce your risk.

(Image by Free stock photos from www.rupixen.com from Pixabay)

How to Protect Your Online Presence from Devastating DDoS Attacks

President Donald Trump has proposed building a massive antimissile system in space that could enrich Elon Musk if it materializes. But experts say the project’s feasibility remains unclear.

During A Press conference in the Oval Office late last month, US President Donald Trump doubled down on his plan to build a massive new missile defense system, largely based in space, he is calling the “Golden Dome.” In recent weeks, defense companies have begun vying for anticipated government contracts tied to the project, and three firms with deep connections to the White House—SpaceX, Palantir, and Anduril—have been named as purported front-runners.

Trump ordered plans to be drawn up for the Golden Dome within days of returning to office in January, and he said in May that it would be operational by the end of his term in January 2029. But behind the scenes over the past few months, competing defense companies and industry experts have told WIRED the future of the project isn’t certain.

They say it’s unclear whether the missile shield could be constructed in space the way Trump wants and how many contracts will ultimately be awarded. Trump recently claimed that he had selected a $175 billion design for the shield, but some experts expect the cost to be far greater, and they question how it will be paid for.

Although it has been compared to Israel’s Iron Dome missile defense system, some sources noted that a project of the Golden Dome’s size and scope has never been built before. “The Manhattan Project element of this is just simply the scale,” says John Clark, senior vice president of technology and strategic innovation at Lockheed Martin. “The technologies exist. The integration strategies we've demonstrated, they are available. It's really, how do you scale this?"

Trump said on May 20 that he had chosen Space Force general Michael Guetlein as a “lead program manager” for the Golden Dome. But Clark says that a number of different branches of the US military and federal government have been “providing feedback and insight” as part of the planning process, including a specialized group inside the Department of Defense called the Missile Defense Agency, as well as the Space Force, Space Development Agency, the Army, the Navy, and the Air Force. It’s unclear how many of them will ultimately remain involved.

“What I am seeing and hearing in our conversations is that each agency is still trying to understand where they fit into this really broad mission and architecture,” says Susanne Hake, general manager of US government business at the geospatial intelligence firm Maxar.

Mark Montgomery, executive director of the Cyberspace Solarium Commission, a government body that advises US policymakers on cyber- and space-based threats, believes that SpaceX is almost certainly going to play a major role in the initiative because of its existing dominance in the commercial space launch sector.

“The only thing I'd say is consistent, and almost definitely true, is SpaceX is going to be part of the launch cycle,” says Montgomery, who says it “would be criminal” to pick winners and losers this early in the process.

In mid-April, CEO Elon Musk said publicly that SpaceX “has not tried to bid for any contract” tied to the Golden Dome project. (It’s not possible at this stage for firms to make formal bids.) He added that he hopes “other companies” can work on it instead.

Musk did not respond to a request for comment asking what role he may have played in SpaceX’s work related to the Golden Dome.

Clark says that Lockheed Martin is having early-stage conversations with SpaceX, Palantir, and Anduril, as well as many other companies that it could eventually enter into partnerships with to work on the Golden Dome. “Candidly, I think it's a little premature to lock in on a team when you don't know exactly what the requirements are,” he tells WIRED.

Hake says that Maxar is also in early talks with other firms. She argues that Maxar’s products—such as imaging technology that can detect objects in low Earth orbit—are “pretty differentiated” from anything that SpaceX, Palantir, or Anduril have, meaning Maxar wouldn’t be in direct competition with them.

Clark says that Lockheed Martin has proposed an approach for the Golden Dome that involves building out the existing US missile defense system regionally, then nationally. The current system already includes many components from Lockheed Martin, including land- and sea-based antimissile systems, as well as a long-range radar for detecting missiles.

“Right now, that system has been attributed to ensuring, you know, zero US fatalities,” Clark says.

Anduril declined to comment. The US Department of Defense, SpaceX, and Palantir did not respond to requests for comment from WIRED.

**Why Upgrade?**

When Trump initially demanded the creation of a “next-generation” missile defense system in January, he referred to the project as the "Iron Dome Missile Defense Shield." It was later rebranded as a “Golden Dome for America,” according to a request for information published in April by the Missile Defense Agency.

An earlier February notice asked private companies to detail technological capabilities they possess that could help make the Golden Dome happen, including artificial intelligence and building space-based missile interceptors. It also outlined a laundry list of bells and whistles the Trump administration wants the shield to have, such as space-based sensors (for defending against hypersonic and ballistic missiles), a large satellite system for encrypted communications across the US military, and new weapons for striking down missiles both before and after they launch.

The existing system the US uses to protect itself from missiles and nuclear warheads relies on a constellation of radar sensors and launchpads equipped with antimissile ballistics stationed on US Navy ships and military vehicles around the world. It has the capability to detect when other countries launch missiles, track their paths, and intercept the weapons without detonating them. But many experts worry it’s woefully inadequate and can’t fully protect the US from the nation’s most pressing national security threats.

“We just kind of wished away the problem,” says Montgomery.

While the US military has spent lavishly on missile defense over the past few decades, it has “little to show” for it, argues a recently revised report published by the Panel on Public Affairs of the American Physical Society, a nonprofit that researches physics and other scientific issues.

The authors, who noted that US funding for missile defense typically only increases in response to things like “presidential advocacy,” concluded that America’s current system couldn’t reliably take down missiles and warheads from North Korea, let alone attacks from more sophisticated actors.

Montgomery tells WIRED that the US should be particularly concerned about advanced long-range ballistic and hypersonic missiles from China, Russia, and Iran.

**Going to Space**

Laura Grego, a senior research director at the Union of Concerned Scientists and a coauthor of the report, says she gets why the Trump administration wants the ability to launch missile interceptors from space.

Interceptors launched from land sites may have to travel hundreds of miles horizontally, while an interceptor in space needs to travel only a short distance to reach a missile and stop it in its tracks. “Most people's intuition is that space is far away,” Grego says. “But in this case, space is close. Space is about as close as you can get.”

Grego adds that the idea of building a futuristic antimissile system in the sky has preoccupied American leaders on and off for decades. President Ronald Reagan proposed a similar plan in the early 1980s nicknamed the “Star Wars” program by critics, which consisted of a space-based laser system to shoot down ballistics. While the kinds of technologies Reagan proposed using weren’t feasible at the time, they are now, Grego says.

Montgomery says that the US government will likely need to choose between building a new space-based system or building up its land-based system, because it would simply be too expensive to do both. “If you go down that second path of legacy systems now, you'll inevitably come up short on your space-based funding later,” he says.

But Grego says she believes that a space-based missile interceptor system would be highly vulnerable and impractical, because it requires using missile interceptors carried aboard satellites. Since the satellites would be constantly moving relative to the Earth's surface, the US would need an astronomical amount of interceptors to offer full protection.

Grego says that it only works when it's totally complete. “If you're able to pick apart that constellation and punch holes in it by using anti-satellite weapons or other types of attacks to the system, that whole thing basically becomes useless,” she explains.

Grego adds that a space-based interceptor system would likely cost trillions of dollars between building, launching, and replacing the interceptors—even considering the fact that new technology developed by SpaceX has helped push down the cost of satellite launches considerably in recent years. Satellites circling the earth in low Earth orbit also fall into the atmosphere and burn up after about three to five years, meaning components will need to be replaced regularly.

Trump dismissed concerns about how much the system will cost when asked about it by reporters last month. “We took in $5.1 trillion in the last four days in the Middle East, and when you think about it, this is a tiny fraction of that,” he said. (Prior reports pegged the deals to be worth more than $1 trillion, though the final amount remains unclear, and none of the deals are explicitly related to the Golden Dome.)

Montgomery says that cost isn’t necessarily a reason to rule out a space-based missile defense system entirely. “I’d spend as little as possible on legacy ground-based interceptors, because I think there's limited return in them over time,” he says. “They're expensive, and they're configured for yesterday's threat, and maybe today's threat, but probably not tomorrow's threat.”

The greatest danger of any version of the Golden Dome, Grego says, is that it could spark an arms race. Russia and China will likely view the missile defense system as a threat, because if the US becomes effectively immune to missile attacks, those countries fear American forces could act without fear of retaliation.

To counter this, Grego says, Russia and China may respond by building more offensive missiles to overwhelm or bypass American defenses, ultimately fueling an “unstable” cycle of escalation. “If your adversary builds up defenses so that they're immune, they're no longer vulnerable to you, then you have to do something,” she says.

When asked about concerns about the risk of an arms race at a press conference in May, Trump simply said, “Well, they’re wrong,” adding that the Golden Dome will be “about as close to perfect as you can have.”

The Race to Build Trump’s ‘Golden Dome’ Missile Defense System Is On

A major cyberattack on the US electrical grid has long worried security experts. Such an attack wouldn’t be easy. But if an adversary pulled it off, it’d be lights out in more ways than one.

When the lights went out across the Iberian Peninsula in April, everything ground to a halt. Scores of people were trapped in Madrid’s underground metro system. Hospitals in Lisbon had to switch to emergency generators. Internet service as far away as Greenland and Morocco went down.

While the cause remains unclear, the actual damage to the Iberian power grid—and the people it serves—was relatively minor. Less than 24 hours after the outage began, the region’s electricity operators managed to get the grid back online.

Even if things could have been much worse, the outage was both an unnerving reminder of how suddenly things can go offline.

For years, cybersecurity professionals, watchdogs, and government agencies have warned that a malicious cyberattack on the US power grid could be devastating. With ample evidence that state-sponsored hacking groups are eyeing the decentralized and deeply vulnerable power grid, the risk is more acute than ever.

Case in point: Hackers, believed to be linked to the Chinese government, spent years exploiting vulnerabilities in critical infrastructure across the mainland United States and Guam to obtain access to their systems. The operations, dubbed Volt Typhoon, could have used this access to shut down or disconnect parts of the American power grid—throwing millions into the dark. The effort was, luckily, disrupted and the vulnerabilities patched. Still, it is an unnerving illustration of just how vulnerable the electric system truly is.

We know what such a hack could look like. In 2015, Ukraine experienced the world’s first large-scale cyberattack on an electrical grid. A Russian military intelligence unit known as Sandworm disconnected various substations from the central grid and knocked hundreds of thousands of people offline.

The attack on Ukraine was repaired quickly, but cybersecurity experts have been warning for years that the next one might be more devastating.

Unlike Ukraine, America does not have a single power grid—it has three large interconnections, broken down into a network of smaller regional systems, some of which stretch into Canada. Most of the East is on one grid, most of the West is on another, while Texas and Alaska run their own interconnections. Keeping these networks running is a wildly complicated effort: There are thousands of utility operations, tens of thousands of substations, and hundreds of thousands of miles of high-voltage transmission lines.

Photograph: Michael Tessier

To some degree, this decentralized network is an asset, as it means there is no core vulnerability that risks knocking the entire country offline. But the interconnections mean that a failure in one corner of the grid could cause a cascade that takes down the entire system.

In 2018, researchers from Northwestern University ran large-scale models, gaming out what would happen if parts of the grid failed. They found that, generally, the American power grid was resilient. However, they found that about 10 percent of power lines in the US were susceptible to the kind of failure that could trigger this domino effect under some conditions. A 2022 study that looked at possible disruptions to the Texas grid also found that, in some cases, a relatively small disruption could cause a series of downstream outages “rapidly in succession.”

This means that even if malicious actors manage to take only a small number of nodes in the network offline, it has the potential to do enormous downstream damage.

Insurance underwriter Lloyd’s of London has looked at the effects of such an outage. In this hypothetical, first drafted in 2015 but updated in the years since, Lloyd’s estimates that a Trojan virus that manages to infect just 50 generators—removing 10 percent of the grid’s total power—can trigger this cascade effect and knock out power for most of the East Coast, including New York City and Washington, DC. The Lloyd’s report states that this is an “extreme” but “not unrealistic scenario.”

“Images of a dark New York City make front pages worldwide,” they write, “accompanied by photographs of citizens stuck underground for hours on stranded subway cars and in elevators in the summer heat.”

These rolling blackouts would stretch through 36 states over the course of a day, throwing some 93 million people into the dark. It could take up to three days for half of those people to get back online—while hardware damage and other problems could require up to three weeks to fix.

As the outages continue, more difficulties arise. The analysts warn that an information campaign running parallel to the cyberattack could prompt strikes, protests, or general unrest.

In 2016, then Federal Emergency Management Agency administrator Craig Fugate was summoned to Congress to testify on the possible impacts of a cyberattack on the US electric grid. Water and wastewater systems are some of the first things to go down, he noted. “There is not really a good way to manage that if those systems go offline for extensive periods of time,” Fugate said.

He explained that the emergency response will become a game of triage: distributing enough power, gas, and generators to emergency services and utilities, while also trying to keep consumer-facing supply chains operating.

“Can you get enough life support and infrastructure going to keep the major supply lines up?” Fugate continued. “You are not going to have everything. You are not going to have what the normal consumption rates are.”

Lloyd’s estimates that the total economic costs and losses could hit $1 trillion.

The US Grid Attack Looming on the Horizon

In the very near future, victory will belong to the savvy blackhat hacker who uses AI to generate code at scale.

In the near future one hacker may be able to unleash 20 zero-day attacks on different systems across the world all at once. Polymorphic malware could rampage across a codebase, using a bespoke generative AI system to rewrite itself as it learns and adapts. Armies of script kiddies could use purpose-built LLMs to unleash a torrent of malicious code at the push of a button.

Case in point: as of this writing, an AI system is sitting at the top of several leaderboards on HackerOne—an enterprise bug bounty system. The AI is XBOW, a system aimed at whitehat pentesters that “autonomously finds and exploits vulnerabilities in 75 percent of web benchmarks,” according to the company’s website.

AI-assisted hackers are a major fear in the cybersecurity industry, even if their potential hasn’t quite been realized yet. “I compare it to being on an emergency landing on an aircraft where it’s like ‘brace, brace, brace’ but we still have yet to impact anything,” Hayden Smith, the cofounder of security company Hunted Labs, tells WIRED. “We’re still waiting to have that mass event.”

Generative AI has made it easier for anyone to code. The LLMs improve every day, new models spit out more efficient code, and companies like Microsoft say they’re using AI agents to help write their codebase. Anyone can spit out a Python script using ChatGPT now, and vibe coding—asking an AI to write code for you, even if you don’t have much of an idea how to do it yourself—is popular; but there’s also vibe hacking.

“We’re going to see vibe hacking. And people without previous knowledge or deep knowledge will be able to tell AI what it wants to create and be able to go ahead and get that problem solved,” Katie Moussouris, the founder and CEO of Luta Security, tells WIRED.

Vibe hacking frontends have existed since 2023. Back then, a purpose-built LLM for generating malicious code called WormGPT spread on Discord groups, Telegram servers, and darknet forums. When security professionals and the media discovered it, its creators pulled the plug.

WormGPT faded away, but other services that billed themselves as blackhat LLMs, like FraudGPT, replaced it. But WormGPT’s successors had problems. As security firm Abnormal AI notes, many of these apps may have just been jailbroken versions of ChatGPT with some extra code to make them appear as if they were a stand-alone product.

Better then, if you’re a bad actor, to just go to the source. ChatGPT, Gemini, and Claude are easily jailbroken. Most LLMs have guard rails that prevent them from generating malicious code, but there are whole communities online dedicated to bypassing those guardrails. Anthropic even offers a bug bounty to people who discover new ones in Claude.

“It’s very important to us that we develop our models safely,” an OpenAI spokesperson tells WIRED. “We take steps to reduce the risk of malicious use, and we’re continually improving safeguards to make our models more robust against exploits like jailbreaks. For example, you can read our research and approach to jailbreaks in the GPT-4.5 system card, or in the OpenAI o3 and o4-mini system card.”

Google did not respond to a request for comment.

In 2023, security researchers at Trend Micro got ChatGPT to generate malicious code by prompting it into the role of a security researcher and pentester. ChatGPT would then happily generate PowerShell scripts based on databases of malicious code.

“You can use it to create malware,” Moussouris says. “The easiest way to get around those safeguards put in place by the makers of the AI models is to say that you’re competing in a capture-the-flag exercise, and it will happily generate malicious code for you.”

Unsophisticated actors like script kiddies are an age-old problem in the world of cybersecurity, and AI may well amplify their profile. “It lowers the barrier to entry to cybercrime,” Hayley Benedict, a Cyber Intelligence Analyst at RANE, tells WIRED.

But, she says, the real threat may come from established hacking groups who will use AI to further enhance their already fearsome abilities.

“It’s the hackers that already have the capabilities and already have these operations,” she says. “It’s being able to drastically scale up these cybercriminal operations, and they can create the malicious code a lot faster.”

Moussouris agrees. “The acceleration is what is going to make it extremely difficult to control,” she says.

Hunted Labs’ Smith also says that the real threat of AI-generated code is in the hands of someone who already knows the code in and out who uses it to scale up an attack. “When you’re working with someone who has deep experience and you combine that with, ‘Hey, I can do things a lot faster that otherwise would have taken me a couple days or three days, and now it takes me 30 minutes.’ That's a really interesting and dynamic part of the situation,” he says.

According to Smith, an experienced hacker could design a system that defeats multiple security protections and learns as it goes. The malicious bit of code would rewrite its malicious payload as it learns on the fly. “That would be completely insane and difficult to triage,” he says.

Smith imagines a world where 20 zero-day events all happen at the same time. “That makes it a little bit more scary,” he says.

Moussouris says that the tools to make that kind of attack a reality exist now. “They are good enough in the hands of a good enough operator,” she says, but AI is not quite good enough yet for an inexperienced hacker to operate hands-off.

“We’re not quite there in terms of AI being able to fully take over the function of a human in offensive security,” she says.

The primal fear that chatbot code sparks is that anyone will be able to do it, but the reality is that a sophisticated actor with deep knowledge of existing code is much more frightening. XBOW may be the closest thing to an autonomous “AI hacker” that exists in the wild, and it’s the creation of a team of more than 20 skilled people whose previous work experience includes GitHub, Microsoft, and a half a dozen assorted security companies.

It also points to another truth. “The best defense against a bad guy with AI is a good guy with AI,” Benedict says.

For Moussouris, the use of AI by both blackhats and whitehats is just the next evolution of a cybersecurity arms race she’s watched unfold over 30 years. “It went from: ‘I’m going to perform this hack manually or create my own custom exploit,’ to, ‘I’m going to create a tool that anyone can run and perform some of these checks automatically,’” she says.

“AI is just another tool in the toolbox, and those who do know how to steer it appropriately now are going to be the ones that make those vibey frontends that anyone could use.”

Tag

#intel